Contents. Introduction. Prerequisites. Requirements. Components Used
|
|
- Julius Jacob Dennis
- 6 years ago
- Views:
Transcription
1 Contents Introduction Prerequisites Requirements Components Used Topology and flow Configure ASA Step1. Basic SSL VPN configuration Step2. CSD installation Step3. DAP policies ISE Verify CSD and AnyConnect provisioning AnyConnect VPN session with posture - non compliant AnyConnect VPN session with posture - compliant Troubleshoot AnyConnect DART References Related Cisco Support Community Discussions Introduction This configuration example presents how to perform the posture for the remote VPN sessions terminated on ASA. The posture will be performed locally by ASA using Cisco Secure Desktop with HostScan module. After VPN session is established compliant station will be allowed full network access, non compliant limited one. Also CSD and AnyConnect 4.0 provisioning flows are presented. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: Cisco ASA VPN configuration Cisco AnyConnect Secure Mobility Client Components Used The information in this document is based on these software and hardware versions: Microsoft Windows 7
2 Cisco Adaptive Security Appliance, Version 9.3 or later Cisco Identity Services Engine (ISE) Software, Versions 1.3 and Later Cisco AnyConnect Secure Mobility Client, Vesion 4.0 and Later Cisco Secure Desktop, Version 3.6 or Later Topology and flow Corporate policy is the following: Remote VPN users which are having file c:\test.txt (compliant) should have full network access to inside company resources Remote VPN users which are not having file c:\test.txt (non compliant) should have limited network access to inside company resources: only access to remediation server should be provided. File existence is the simplest example. Any other condition (antivirus, antispyware, process, application, registry) could be used. The flow is the following: Remote users does not have AnyConnect installed. They access ASA web page for CSD and AnyConnect provisioning (along with the VPN profile) Once connecting via AnyConnect non compliant user will be allowed with limited network access. Dynamic Access Policy (DAP) called FileNotExists will be matched. User performs remediation (manually install file c:\test.txt) and connects again using
3 AnyConnect. This time full network access is provided (DAP policy called FileExists will be matched). HostScan module can be installed manually on the endpoint. Example files (hostscan-win pre-deploy-k9.msi) are shared on CCO. But it could be also pushed from ASA. HostScan is a part of CSD which could be provisioned from ASA. That second approach is used in this example. For older versions of AnyConnect (3.1 and before) there was a separate package available on CCO (example: hostscan_ k9.pkg) which could have been configured and provisioned on ASA separately (using "csd hostscan image" command) - but that option is not existing anymore for AnyConnect version 4.0. Configure ASA Step1. Basic SSL VPN configuration ASA is preconfigured with basic remote VPN access (SSL). AnyConnect package has been downloaded and used. Step2. CSD installation Subsequent configuration is performed using ASDM. CSD package needs to be downloaded to flash and referenced from configuration: Without enabling Secure Desktop it would not be possible to use CSD attributes in DAP policies:
4 After enabling CSD multiple options under Secure Desktop Manager appears. Please be informed that some of them are already deprecated. More information regarding deprecated features can be found: Feature Deprecation Notice for Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection HostScan is still fully supported, new Basic HostScan rule is being added. Existence of c:\test.txt will be verified. Also additional Advanced Endpoint Assessment rule is being added:
5 That one is checking for the existence of Symantec Norton AntiVirus 20.x and Microsoft Windows Firewall 7. Posture module (HostScan) will check those values but there will be no enforcement (DAP policy will not verify that). Step3. DAP policies DAP policies are responsible for using data gathered by HostScan as conditions and apply specific attributes to the VPN session as a result. To create DAP policy from ASDM: Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies: First policy (FileExists) will check tunnel-group name which is used by configured VPN profile (VPN profile configuration has been omitted for clarity). Then additional check for the file c:\test.txt is being performed:
6 As a result no actions are being performed with the default setting to permit connectivity. No ACL is being used - full network access will be provided. Details for the file check: Second policy (FileNonExists) is similar - but this time condition is "if file is not existing".
7 The result has access-list ACL1 configured. That will be applied for non compliant VPN users providing limited network access. Both DAP policies are pushing for AnyConnect access: ISE Identity Services Engine is used for user authentication. Only network device (ASA) and correct username (cisco) should be configured. That part is not covered in this article. Verify CSD and AnyConnect provisioning On the beginning user is not provisioned with AnyConnect client. User is also not compliant with the policy (the file c:\test.txt does not exist). Entering and is immediately redirected for Cisco Secure Desktop installation:
8 That can be done using Java or ActiveX. Once CSD is being installed that is being reported: Then user is being redirected for authentication: If successful AnyConnect along with configured profile is being deployed - again ActiveX or Java can be used:
9 And the VPN connection is being established: The first step for AnyConnect is to perform posture checks (HostScan) and send the reports to ASA: Then AnyConnect authenticates and finishes VPN session: AnyConnect VPN session with posture - non compliant When establishing a new VPN session using AnyConnect the first step would be the posture (HostScan) as presented on the screenshot above. Then authentication occurs and the VPN session is established:
10 ASA would report that HostScan report is being received: %ASA : Received 4 KB Hostscan data from IP < > Then performs user authentication: %ASA : AAA user authentication Successful : server = : user = cisco And starts authorization for that VPN session. When having "debug dap trace 255" enabled the information regarding the existence of "c:\test.txt" file is being returned: DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.file["1"].exists="false" DAP_TRACE: endpoint.file["1"].exists = "false" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.file["1"].path="c:\test.txt" DAP_TRACE: endpoint.file["1"].path = "c:\\test.txt" Also information regarding Microsoft Windows Firewall: DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].exists="false" DAP_TRACE: endpoint.fw["mswindowsfw"].exists = "false" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].description="microsoft Windows Firewall" DAP_TRACE: endpoint.fw["mswindowsfw"].description = "Microsoft Windows Firewall" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].version="7" DAP_TRACE: endpoint.fw["mswindowsfw"].version = "7" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].enabled="failed" DAP_TRACE: endpoint.fw["mswindowsfw"].enabled = "failed" And Symantec AntiVirus (as per HostScan Advanced Endpoint Assessment rules configured before). As a result the DAP policy is being matched: DAP_TRACE: Username: cisco, Selected DAPs:,FileNotExists That policy is forcing to use AnyConnect and also applies access-list ACL1 which provides restricted network access for the user (not compliant with the corporate policy). DAP_TRACE:The DAP policy contains the following attributes for user: cisco DAP_TRACE: DAP_TRACE:1: tunnel-protocol = svc DAP_TRACE:2: svc ask = ask: no, dflt: svc DAP_TRACE:3: action = continue DAP_TRACE:4: network-acl = ACL1 Logs presents also ACIDEX extensions which could be used by DAP policy (or even passed in Radius-Requests to ISE and being used in Authorization Rules as conditions): endpoint.anyconnect.clientversion = " "; endpoint.anyconnect.platform = "win"; endpoint.anyconnect.devicetype = "innotek GmbH VirtualBox"; endpoint.anyconnect.platformversion = " "; endpoint.anyconnect.deviceuniqueid = "A1EDD2F14F EB42C281C98DD892F7D34239AECDBB3FEA69D6567B2591"; endpoint.anyconnect.macaddress["0"] = " f-5f-64"; endpoint.anyconnect.useragent = "AnyConnect Windows "; As a result VPN session is up but with the restricted network access: ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 4
11 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : Pkts Tx : 8 Pkts Rx : 146 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 11:58:54 UTC Fri Dec Duration : 0h:07m:54s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d4d7e Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 4.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 22 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 4.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 22 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 2760 Pkts Tx : 4 Pkts Rx : 12 Filter Name : ACL1 DTLS-Tunnel: Tunnel ID : 4.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 24 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : Pkts Tx : 0 Pkts Rx : 133 Filter Name : ACL1
12 ASAv2# show access-list ACL1 access-list ACL1; 1 elements; name hash: 0xe535f5fe access-list ACL1 line 1 extended permit ip any host (hitcnt=0) 0xe6492cbf AnyConnect history shows detailed steps for the posture process: 12:57:47 Contacting :58:01 Posture Assessment: Required for access 12:58:01 Posture Assessment: Checking for updates... 12:58:02 Posture Assessment: Updating... 12:58:03 Posture Assessment: Initiating... 12:58:13 Posture Assessment: Active 12:58:13 Posture Assessment: Initiating... 12:58:37 User credentials entered. 12:58:43 Establishing VPN session... 12:58:43 The AnyConnect Downloader is performing update checks... 12:58:43 Checking for profile updates... 12:58:43 Checking for product updates... 12:58:43 Checking for customization updates... 12:58:43 Performing any required updates... 12:58:43 The AnyConnect Downloader updates have been completed. 12:58:43 Establishing VPN session... 12:58:43 Establishing VPN - Initiating connection... 12:58:48 Establishing VPN - Examining system... 12:58:48 Establishing VPN - Activating VPN adapter... 12:58:52 Establishing VPN - Configuring system... 12:58:52 Establishing VPN... 12:58:52 Connected to AnyConnect VPN session with posture - compliant After creating c:\test.txt file the flow will be similar. Once new AnyConnect session is initiated the logs would indicate the existence of the file: %ASA : DAP: User cisco, Addr : Session Attribute endpoint.file["1"].exists="true" %ASA : DAP: User cisco, Addr : Session Attribute endpoint.file["1"].path="c:\test.txt" And as a result another DAP policy is being used: DAP_TRACE: Username: cisco, Selected DAPs:,FileExists The policy does not impose any ACL as the restriction for the network traffic. And the session is UP without any ACL (full network access): ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 5 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : 6298 Pkts Tx : 8 Pkts Rx : 38 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 12:10:28 UTC Fri Dec
13 Duration : 0h:00m:17s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d5034 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 5.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 5.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 1345 Pkts Tx : 4 Pkts Rx : 6 DTLS-Tunnel: Tunnel ID : 5.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 30 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : 4189 Pkts Tx : 0 Pkts Rx : 31 Also Anyconnect is reporting that HostScan is idle and waiting for the next scan request: ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 5 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
14 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : 6298 Pkts Tx : 8 Pkts Rx : 38 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 12:10:28 UTC Fri Dec Duration : 0h:00m:17s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d5034 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 5.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 5.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 1345 Pkts Tx : 4 Pkts Rx : 6 DTLS-Tunnel: Tunnel ID : 5.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 30 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : 4189 Pkts Tx : 0 Pkts Rx : 31 For reassessment it's advised to use posture module integrated with ISE: Troubleshoot
15 AnyConnect DART AnyConnect provides Diagnostics: Which is gathering and saving all the AnyConnect logs to a zip file on the desktop. That zip file includes the logs in Cisco AnyConnect Secure Mobility Client/Anyconnect.txt. That will provide the information about ASA is requesting HostScan to gather data: Date : 12/26/2014 Time : 12:58:01 Type : Information Source : acvpnui Description : Function: ConnectMgr::processResponseString File:.\ConnectMgr.cpp Line: Invoked Function: ConnectMgr::processResponseString Return Code: 0 (0x ) Description: HostScan request detected. Then multiple other logs reveal that CSD is installed. This is the example for a CSD provisioning and subsequent AnyConnect connection along with posture: CSD detected, launching CSD Posture Assessment: Required for access
16 Gathering CSD version information. Posture Assessment: Checking for updates... CSD version file located Downloading and launching CSD Posture Assessment: Updating... Downloading CSD update CSD Stub located Posture Assessment: Initiating... Launching CSD Initializing CSD Performing CSD prelogin verification. CSD prelogin verification finished with return code 0 Starting CSD system scan. CSD successfully launched Posture Assessment: Active CSD launched, continuing until token is validated. Posture Assessment: Initiating... Checking CSD token for validity Waiting for CSD token validity result CSD token validity check completed CSD Token is now valid CSD Token validated successfully Authentication succeeded Establishing VPN session... Communication between ASA and AnyConnect is optimized, ASA requests to perform only specific checks - AnyConnect downloads additional data to be able to perform that (for example specific AntiVirus verification). When opening the case with TAC please attach Dart logs along with "show tech" and "debug dap trace 255" from ASA. References Configuring Host Scan and the Posture Module - Cisco AnyConnect Secure Mobility Client Administrator Guide Configuring Host Scan - Cisco Secure Desktop Configuration Guide Posture services on Cisco ISE Configuration Guide Cisco ISE 1.3 Administrators Guide Technical Support & Documentation - Cisco Systems
Contents. Introduction. Prerequisites. Requirements. Components Used
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ASA ISE Step 1. Configure Network Device Step 2. Configure Posture conditions and policies Step 3. Configure Client
More informationConfigure AnyConnect Secure Mobility Client using One-Time Password (OTP) for Twofactor Authentication on an ASA
Configure AnyConnect Secure Mobility Client using One-Time Password (OTP) for Twofactor Authentication on an ASA Contents Introduction Prerequisites Requirements Components Used Background Information
More informationASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre Fill Configuration Guide
ASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre Fill Configuration Guide Document ID: 116111 Contributed by Michal Garcarz, Cisco TAC Engineer. Jun 13, 2013 Contents
More informationContents. Introduction
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance
More informationRemote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN
Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers
More informationAnyConnect FAQ: Tunnels, Reconnect Behavior, and the Inactivity Timer Contents
AnyConnect FAQ: Tunnels, Reconnect Behavior, and the Inactivity Timer Contents Introduction Background Information Types of Tunnels Sample Output from ASA DPDs and Inactivity Timers When is a session considered
More informationAnyConnect HostScan. Prerequisites for HostScan
The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The HostScan
More informationCCNP Security VPN
CCNP Security VPN 642-647 Official Cert Guide Howard Hooper, CCIE No. 23470 Cisco Press 800 East 96th Street Indianapolis, IN 46240 Contents Introduction xxiv Part I ASA Architecture and Technologies Overview
More informationConfigure an External AAA Server for VPN
About External AAA Servers, page 1 Guidelines For Using External AAA Servers, page 2 Configure Multiple Certificate Authentication, page 2 Active Directory/LDAP VPN Remote Access Authorization Examples,
More informationConfigure an External AAA Server for VPN
About External AAA Servers, page 1 Guidelines For Using External AAA Servers, page 2 Configure LDAP Authorization for VPN, page 2 Active Directory/LDAP VPN Remote Access Authorization Examples, page 4
More informationSASSL v1.0 Managing Advanced Cisco SSL VPN. 3 days lecture course and hands-on lab $2,495 USD 25 Digital Version
Course: Duration: Fees: Cisco Learning Credits: Kit: 3 days lecture course and hands-on lab $2,495 USD 25 Digital Version Course Overview Managing Advanced Cisco SSL VPN (SASSL) v1.0 is an instructor-led
More informationConfigure ASA as the SSL Gateway for AnyConnect Clients using Multiple-Certificate Based Authentication
Configure ASA as the SSL Gateway for AnyConnect Clients using Multiple-Certificate Based Authentication Contents Introduction Prerequisites Requirements Components Used Background Information Limitations
More informationConfiguring AnyConnect VPN Client Connections
CHAPTER 71 This chapter describes how to configure AnyConnect VPN Client Connections and includes the following topics: Information About AnyConnect VPN Client Connections, page 71-1 Licensing Requirements
More informationConfigure Posture. Note
The AnyConnect Secure Mobility Client offers an VPN Posture (HostScan) Module and an ISE Posture Module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint's
More informationASA 8.x Dynamic Access Policies (DAP) Deployment Guide
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide Contents Introduction DAP and AAA Attributes DAP and Endpoint Security Attributes Default Dynamic Access Policy Configuring Dynamic Access Policies
More informationConfiguring AnyConnect VPN Client Connections
CHAPTER 72 This section describes how to configure AnyConnect VPN Client Connections and covers the following topics: Information About AnyConnect VPN Client Connections, page 72-1 Licensing Requirements
More informationCisco Secure Desktop (CSD) on IOS Configuration Example using SDM
Cisco Secure Desktop (CSD) on IOS Configuration Example using SDM Document ID: 70791 Contents Introduction Prerequisites Requirements Components Used Network Diagram Related Products Conventions Configure
More informationImplementing Core Cisco ASA Security (SASAC)
1800 ULEARN (853 276) www.ddls.com.au Implementing Core Cisco ASA Security (SASAC) Length 5 days Price $6215.00 (inc GST) Overview Cisco ASA Core covers the Cisco ASA 9.0 / 9.1 core firewall and VPN features.
More informationRemote Access VPN. Remote Access VPN Overview. Maximum Concurrent VPN Sessions By Device Model
Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a computer or other supported ios or Android device connected to the Internet.
More informationNew Features for ASA Version 9.0(2)
FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core
More informationSee the following screens for showing VPN connection data in graphical or tabular form for the ASA.
Connection Graphs, page 1 Statistics, page 1 Connection Graphs See the following screens for showing VPN connection data in graphical or tabular form for the ASA. Monitor IPsec Tunnels Monitoring> VPN>
More informationConfigure Posture. Note
The AnyConnect Secure Mobility Client offers an VPN Posture (HostScan) Module and an ISE Posture Module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint's
More informationDynamic Access Policies
This chapter describes how to configure dynamic access policies. About, on page 1 Licensing for, on page 3 Configure, on page 3 Configure AAA Attribute Selection Criteria in a DAP, on page 6 Configure
More informationCreate and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN
Create and Apply Clientless SSL VPN Policies for Accessing Resources, page 1 Connection Profile Attributes for Clientless SSL VPN, page 1 Group Policy and User Attributes for Clientless SSL VPN, page 3
More informationISE Version 1.3 Self Registered Guest Portal Configuration Example
ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites
More informationDeploying Cisco ASA VPN Solutions v2.0 (VPN)
Deploying Cisco ASA VPN Solutions v2.0 (VPN) Course Overview: The Deploying Cisco ASA VPN Solutions (VPN) v2.0 course is part of the curriculum path that leads to the Cisco CCNP Security certification.
More informationDynamic Access Policies
This chapter describes how to configure dynamic access policies. About, page 1 Licensing for, page 3 Configure, page 4 Configure AAA Attribute Selection Criteria in a DAP, page 6 Configure Endpoint Attribute
More informationASACAMP - ASA Lab Camp (5316)
ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide
More informationFirepower Threat Defense Remote Access VPNs
About, page 1 Firepower Threat Defense Remote Access VPN Features, page 3 Firepower Threat Defense Remote Access VPN Guidelines and Limitations, page 4 Managing, page 6 Editing Firepower Threat Defense
More informationExam A QUESTION 1 An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales de
Cisco 642-647 Deploying Cisco ASA VPN Solutions (VPN v1.0) Version: Demo https://.com Exam A QUESTION 1 An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters,
More informationISE Primer.
ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides
More informationCisco AnyConnect Secure Mobility Client
To provide secure VPN connections, the Cisco VXC 6215 supports the Cisco AnyConnect Secure Mobility Client, Release 3.1. The Cisco AnyConnect Secure Mobility client provides remote users with secure VPN
More informationConfigure Client Posture Policies
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate
More informationClientless SSL VPN Overview
Introduction to Clientless SSL VPN, page 1 Prerequisites for Clientless SSL VPN, page 2 Guidelines and Limitations for Clientless SSL VPN, page 2 Licensing for Clientless SSL VPN, page 3 Introduction to
More informationISE Version 1.3 Hotspot Configuration Example
ISE Version 1.3 Hotspot Configuration Example Document ID: 118741 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 11, 2015 Contents Introduction Prerequisites Requirements Components
More informationASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example
ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example Document ID: 116757 Contributed by Michal Garcarz, Cisco TAC Engineer. Nov 25, 2013 Contents
More informationDynamic Access Policies
This chapter describes how to configure dynamic access policies. About, on page 1 Licensing for, on page 3 Configure, on page 3 Configure AAA Attribute Selection Criteria in a DAP, on page 6 Configure
More informationCCIE Security Lab Workbook Volume I Version 3.0. Copyright Information. - i - Copyright Internetwork Expert, Inc. All rights reserved.
Copyright Information Copyright 2003 2007 Internetwork Expert, Inc. All rights reserved. The following publication, CCIE Security Lab Workbook Volume I, was developed by Internetwork Expert, Inc. All rights
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208
More informationIdentity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.
This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for
More informationExam : Title : Security Solutions for Systems Engineers. Version : Demo
Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized
More informationNetwork Admission Control Agentless Host Support
Network Admission Control Agentless Host Support Last Updated: October 10, 2012 The Network Admission Control: Agentless Host Support feature allows for an exhaustive examination of agentless hosts (hosts
More informationImplementing Cisco Edge Network Security Solutions ( )
Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to
More informationIdentity Firewall. About the Identity Firewall
This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History
More informationAnyConnect VPN Client Connections
This section describes how to configure. About the AnyConnect VPN Client, page 1 Licensing Requirements for AnyConnect, page 2 Configure AnyConnect Connections, page 4 Monitor AnyConnect Connections, page
More informationCisco Virtualization Experience Media Engine Overview
Cisco Virtualization Experience Media Engine Overview Purpose of This Guide, page 1 About Cisco Virtualization Experience Media Engine, page 1 Cisco AnyConnect Feature Support, page 4 Purpose of This Guide
More informationSecure Mobility. Klaus Lenssen Senior Business Development Manager Security
Secure Mobility Klaus Lenssen Senior Business Development Manager Security KL Secure Mobility 2008 Cisco Systems, Inc. All rights reserved. Cisco public 1 Complete Your Online Session Evaluation Please
More informationConfigure Client Posture Policies
Posture Service Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance
More informationChapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM
Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights
More informationPolicy User Interface Reference
Authentication, page 1 Authorization Policy Settings, page 4 Endpoint Profiling Policies Settings, page 5 Dictionaries, page 9 Conditions, page 11 Results, page 22 Authentication This section describes
More informationeigrp log-neighbor-warnings through functions Commands
CHAPTER 12 eigrp log-neighbor-warnings through functions Commands 12-1 eigrp log-neighbor-changes Chapter 12 eigrp log-neighbor-changes To enable the logging of EIGRP neighbor adjacency changes, use the
More informationConfiguring Client Posture Policies
CHAPTER 19 This chapter describes the posture service in the Cisco Identity Services Engine (Cisco ISE) appliance that allows you to check the state (posture) for all the endpoints that are connecting
More informationConfiguring an External Server for Authorization and Authentication
APPENDIXD Configuring an External Server for Authorization and Authentication This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the security appliance.
More informationConfigure Client Posture Policies
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate
More informationSSL VPN - IPv6 Support
The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, on page 1 Prerequisites
More informationCisco Exam Questions & Answers
Cisco 300-209 Exam Questions & Answers Number: 300-209 Passing Score: 800 Time Limit: 120 min File Version: 35.4 http://www.gratisexam.com/ Exam Code: 300-209 Exam Name: Implementing Cisco Secure Mobility
More informationSSL VPN - IPv6 Support
The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, page 1 Prerequisites for,
More informationCisco Passguide Exam Questions & Answers
Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying
More informationContents. Introduction
Contents Introduction Requirements Confirm VPN Phone License on ASA Export Restricted and Export Unrestricted CUCM Common Issues on the ASA Certificates for Use on the ASA Trustpoint/Certificate for ASA
More informationIdentity Services Engine Guest Portal Local Web Authentication Configuration Example
Identity Services Engine Guest Portal Local Web Authentication Configuration Example Document ID: 116217 Contributed by Marcin Latosiewicz, Cisco TAC Engineer. Jun 21, 2013 Contents Introduction Prerequisites
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo
Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?
More informationCisco - ASA Lab Camp v9.0
Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment
More informationSSL VPN. Finding Feature Information. Prerequisites for SSL VPN
provides support in the Cisco IOS software for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL)-enabled SSL VPN gateway.
More informationCentral Web Authentication on the WLC and ISE Configuration Example
Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization
More informationCisco CISCO Securing Networks with ASA Advanced. Practice Test. Version
Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?
More informationGeneral VPN Setup. ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.7 1
System Options, page 2 Configure Maximum VPN Sessions, page 3 Configure DTLS, page 3 Configure DNS Server Groups, page 4 Configure the Pool of Cryptographic Cores, page 5 Client Addressing for SSL VPN
More informationUsing ASDM to manage a FirePOWER module on ASA
Using ASDM to manage a FirePOWER module on ASA Contents Introduction Components used Prerequisites Architecture Background operation when a user connects to ASA via ASDM Step 1 The user initiates the ASDM
More informationGTA SSL Client & Browser Configuration
GB-OS Version 6.2 GTA SSL Client & Browser Configuration SSL201607-01 Global Technology Associates 3361 Rouse Rd, Suite 240 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com
More informationCisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1
Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,
More informationCisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release
:: Seite 1 von 5 :: Datenblatt zum Produkt Cisco ANYCONNECT ESSENTIALS VPN mit DC# 554678 :: Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release PB526545 Cisco ASA Software Release 8.2
More informationConfiguring L2TP over IPsec
CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over
More informationConfiguring Network Admission Control
45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete
More information2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Cisco AnyConnect as a Service György Ács Regional Security Consultant Mobile User Challenges Mobile and Security Services Web Security
More informationCisco ASA 5500 LAB Guide
INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series
More informationASA Clientless SSL VPN (WebVPN) Troubleshooting Tech Note
ASA Clientless SSL VPN (WebVPN) Troubleshooting Tech Note Document ID: 104298 Contents Introduction Prerequisites Requirements Components Used Conventions Troubleshooting ASA Version 7.1/7.2 Clientless
More informationPartner Webinar. AnyConnect 4.0. Rene Straube Cisco Germany. December 2014
Partner Webinar AnyConnect 4.0 Rene Straube Cisco Germany December 2014 Agenda Introduction to AnyConnect 4.0 New Licensing Scheme for AnyConnect 4.0 How to migrate to the new Licensing? Ordering & Migration
More informationL2TP over IPsec. About L2TP over IPsec/IKEv1 VPN
This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page
More informationConfigure Guest Flow with ISE 2.0 and Aruba WLC
Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More informationCisco ASA Software Release 8.2
Cisco ASA Software Release 8.2 Q. When will the Cisco ASA Software Release 8.2 be available? A. Cisco ASA Software Release 8.2 has a targeted release date of April 13, 2009. Q. How do I obtain Cisco ASA
More informationClientless SSL VPN End User Set-up
71 CHAPTER This section is for the system administrator who sets up Clientless (browser-based) SSL VPN for end users. It summarizes configuration requirements and tasks for the user remote system. It also
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More informationExam Questions
Exam Questions 300-209 SIMOS Implementing Cisco Secure Mobility Solutions (SIMOS) https://www.2passeasy.com/dumps/300-209/ 1. Refer to the exhibit. Which VPN solution does this configuration represent?
More informationSecure Access Troubleshooting Rewrite related issues (Core/Web Based Access)
Secure Access Troubleshooting Rewrite related issues (Core/Web Based Access) Published June 2015 Why do certain web-based applications have issues through the rewrite engine compared to accessing the resource
More informationNetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1
NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1 Revision A 2011, Palo Alto Networks, Inc. Contents Overview... 3 GlobalProtect Overview... 3 LICENSING... 3 UPGRADE... 3 Understanding the Migrated
More informationConfigure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3
Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configuration Declare RADIUS Server on WLC Create
More informationASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.6
ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.6 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS
More informationEnhancing VMware Horizon View with F5 Solutions
Enhancing VMware Horizon View with F5 Solutions VMware Horizon View is the leading virtualization solution for delivering desktops as a managed service to a wide range of devices. F5 BIG-IP devices optimize
More informationImplementing Cisco Network Security (IINS) 3.0
Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationSet Up Policy Conditions
Policy Conditions, page 1 Simple and Compound Conditions, page 1 Policy Evaluation, page 2 Create Simple Conditions, page 2 Create Compound Conditions, page 3 Profiler Conditions, page 4 Posture Conditions,
More informationConfiguring an External Server for Authorization and Authentication
APPENDIXC Configuring an External Server for Authorization and Authentication This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the adaptive security
More informationREMOTE ACCESS SSL BROWSER & CLIENT
REMOTE ACCESS SSL BROWSER & CLIENT Course 4001 1 SSL SSL - Comprised of Two Components Browser Clientless Access SSL Client SSL Browser SSL Client 2 SSL Remote Access Key Features! Part of GTA s remote
More informationConfigure Flexconnect ACL's on WLC
Configure Flexconnect ACL's on WLC Contents Introduction Prerequisites Requirements Components Used ACL Types 1. VLAN ACL ACL Directions ACL Mapping Considerations Verify if ACL is Applied on AP 2. Webauth
More informationSecuring Wireless LAN Controllers (WLCs)
Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management
More informationCisco IOS Firewall Authentication Proxy
Cisco IOS Firewall Authentication Proxy This feature module describes the Cisco IOS Firewall Authentication Proxy feature. It includes information on the benefits of the feature, supported platforms, configuration
More informationIntroduction to the ASA
CHAPTER 1 The ASA combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM/SSC or an integrated
More informationContents. Introduction. Prerequisites. Configure. Requirements. Components Used. Network Diagram
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Traffic Flow Configurations Switch 3850-1 Switch 3850-2 ISE Verify References Related Cisco Support Community
More informationONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013
ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-210 Title : Implementing Cisco Threat Control Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-210
More informationWeb server Access Control Server
2 You can use access lists to control traffic based on the IP address and protocol. However, you must use authentication and authorization in order to control access and use for specific users or groups.
More information